On Fri, 2011-06-10 at 11:22 +0200, Jürgen Obermann wrote:
Hello,
is it possible to limit the number of pop3 (or imap) login attempts from one IP with dovecot to stop attackers? We recently had an attack from one IP-address lasting 50 minutes that tried 50000 pop3-logins with guessed users and passwords. I know about Fail2Ban but really would prefer an easy to configure solution inside of dovecot. Dovecot has this anvil daemon, can it be used for that purpose?
We use Dovecot version 2.0.12 under Solaris 10; the pop3-login part of the configuration looks like this:
With v2.0 it was already limiting. It increased each login failure delay to 15 seconds before the failure was reported. Although maybe something wasn't working correctly, because 50k hits is more than I think should have been possible. Assuming you have default_process_limit=100 (default), there should have been a maximum of 20k attempts (100 processes / 15 seconds * 60*50 seconds).
Hmm. Maybe instead of simply increasing the failure delay, the IP could be disconnected immediately?
We had set default_process_limit=2000. I think this was necessary
during testing the high-security mode and I forgot to set it back to
100 again after switching back to high-performance mode
(http://wiki2.dovecot.org/LoginProcess). But even 20k attempts in 50
minutes (or 6 per second) would have been too much for one real person.
The attack would have taken about 2 hours instead of nearly one.
I admit that fail2ban can stop this attack, but we have Solaris and
not Linux and therefore the actions fail2ban wants to start are not
available.
Greetings, Juergen
Hochschulrechenzentrum der      | Mail: Juergen.Obermann@hrz.uni-giessen.de
Justus-Liebig-Universitaet      | WWW:  http://www.uni-giessen.de/obermann/
Heinrich-Buff-Ring 44           | Tel:  0641-99-13054 (0641-99-13001)
D-35392 Giessen, Germany        | Fax:  0641-99-13009
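As an added example (not code from this thread or from Dovecot), a small Python checker for the two points raised above: it totals Dovecot login failures per remote IP from log lines and compares the count with the ceiling the reply derived (login processes x window / failure delay), so a count above that ceiling means the delay was not in effect (as with the forgotten process_limit=2000), while a count below it but above a threshold is ordinary brute forcing to block with whatever the platform offers instead of fail2ban. The "auth failed, N attempts" log-line shape and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed Dovecot 2.x login-failure line (constructed; not taken from the thread):
# "pop3-login: Disconnected (auth failed, 3 attempts): user=<x>, method=PLAIN, rip=192.0.2.10, lip=..."
AUTH_FAIL_RE = re.compile(
    r"(?:pop3|imap)-login: (?:Disconnected|Aborted login) "
    r"\(auth failed, (?P<n>\d+) attempts(?: in \d+ secs)?\).*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Jun 10 10:31:02 mx dovecot: pop3-login: Disconnected (auth failed, 3 attempts): "
    "user=<admin>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2",
    "Jun 10 10:31:05 mx dovecot: pop3-login: Disconnected (auth failed, 2 attempts): "
    "user=<test>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2",
    "Jun 10 10:31:09 mx dovecot: imap-login: Login: user=<juergen>, method=PLAIN, "
    "rip=203.0.113.5, lip=198.51.100.2, mpid=1234",
    "Jun 10 10:31:12 mx dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 4 secs): "
    "user=<root>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.2",
]


def failed_attempts_per_ip(log_lines):
    """Sum the per-connection 'auth failed, N attempts' counts by remote IP (rip)."""
    totals = defaultdict(int)
    for line in log_lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            totals[m.group("rip")] += int(m.group("n"))
    return dict(totals)


def max_attempts_possible(process_limit, failure_delay_s, window_s):
    """Ceiling on failures one source can produce in window_s when each login
    process serialises one failure per failure_delay_s: 100 * 3000 / 15 = 20000."""
    return process_limit * window_s // failure_delay_s


def classify(totals, process_limit, failure_delay_s, window_s, threshold):
    """Per IP: 'delay-not-enforced' above the ceiling, 'brute-force' above
    threshold but under the ceiling, else 'ok'."""
    bound = max_attempts_possible(process_limit, failure_delay_s, window_s)
    verdicts = {}
    for ip, n in totals.items():
        if n > bound:
            verdicts[ip] = "delay-not-enforced"
        elif n > threshold:
            verdicts[ip] = "brute-force"
        else:
            verdicts[ip] = "ok"
    return verdicts
```

With the thread's numbers, 50000 failures in 50 minutes exceed the 20000 ceiling at process_limit=100 but stay under the 400000 ceiling at process_limit=2000, which is exactly the discrepancy the reply noticed.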